How Trust Works

Figure 2–10 Trust and Secure Conversation

To establish trust between a client, a Security Token Service, and a
web service:

1. The client establishes an HTTPS connection with the Security
   Token Service using one of the following methods:

   a. Username Authentication and Transport Security: The client
      authenticates to the Security Token Service using a username
      token. The Security Token Service uses a certificate to
      authenticate to the client. Transport security is used for
      message protection.

   b. Mutual Authentication: Both the client side and the server side
      use X.509 certificates to authenticate to each other. The client
      request is signed using the client's X.509 certificate, then
      signed using an ephemeral key. The web service signs the response
      using keys derived from the client's key.

2. The client sends a RequestSecurityToken message to the Security
   Token Service.

3. The Security Token Service sends a Security Assertion Markup
   Language (SAML) token to the client.

4. The client uses the SAML token to authenticate itself to the web
   service, and trust is established.
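The exchange in steps 2 through 4, as an added example that is not part of the original page: it builds the RequestSecurityToken body the client sends to the Security Token Service and applies the checks a web service should make on the issued SAML token before trusting it (the token is scoped to this service and is inside its validity window). Namespaces are WS-Trust 1.3 and SAML 2.0; the STS and service URLs and the response document are constructed placeholders, and verification of the STS's XML signature over the assertion is assumed to happen separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"          # WS-Trust 1.3
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"               # WS-Policy (AppliesTo)
WSA = "http://www.w3.org/2005/08/addressing"                       # WS-Addressing
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

def build_rst(service_url):
    """Step 2: RequestSecurityToken asking the STS to Issue a SAML 2.0 token for service_url."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = f"{WST}/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML2_TOKEN
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = service_url   # scopes the token to one service
    return ET.tostring(rst, encoding="unicode")

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))
def check_issued_token(rstr_xml, service_url, now_iso):
    """Steps 3-4: pull the SAML assertion out of the RequestSecurityTokenResponse and apply the
    audience and validity checks the web service must make; STS signature assumed verified elsewhere."""
    root = ET.fromstring(rstr_xml)
    assertion = root.find(f".//{{{WST}}}RequestedSecurityToken/{{{SAML2}}}Assertion")
    if assertion is None:
        return {"ok": False, "reason": "no SAML 2.0 assertion in response"}
    cond = assertion.find(f"{{{SAML2}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return {"ok": False, "reason": "assertion has no validity window"}
    audiences = [a.text for a in cond.iter(f"{{{SAML2}}}Audience")]
    if service_url not in audiences:     # token issued for some other service: reject
        return {"ok": False, "reason": "token not issued for this service"}
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return {"ok": False, "reason": "token outside validity window"}
    return {"ok": True, "subject": assertion.findtext(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")}

# Constructed sample of the STS response in step 3 (all values are placeholders).
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}" xmlns:saml="{SAML2}">
 <wst:RequestedSecurityToken>
  <saml:Assertion Version="2.0" ID="_example1" IssueInstant="2024-01-01T12:00:00Z">
   <saml:Issuer>https://sts.example.test</saml:Issuer>
   <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
   <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://service.example.test/ping</saml:Audience></saml:AudienceRestriction>
   </saml:Conditions>
  </saml:Assertion>
 </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""
```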